Iranian state-affiliated hackers have intensified their cyber espionage efforts, launching a broad phishing campaign that compromised more than 100 official email accounts and targeted over 50 international embassies, ministries, and organizations. The campaign appears carefully coordinated to exploit trust in diplomatic communications and gain access to sensitive information during a time of heightened geopolitical tensions.
Iranian Phishing Campaign Targets Diplomatic and Government Entities Worldwide
The hackers behind the campaign, identified as “Homeland Justice,” used hijacked legitimate government email accounts to deliver spear-phishing messages to diplomatic targets across six continents.
The phishing emails were disguised as authentic diplomatic communications and contained Microsoft Word attachments embedded with Visual Basic for Applications (VBA) macros. When recipients enabled macros to view the documents, the malicious code executed, triggering malware installation on the victim’s system. According to Israeli cybersecurity firm Dream, the operation focused on intelligence gathering and was attributed to Iranian-aligned actors. ClearSky, another leading security firm, confirmed the attribution and linked the campaign with known Iranian cyber threat activities.
Campaign Spanned 104 Compromised Email Accounts
An alarming tactic observed in this cyber espionage operation was the use of 104 hijacked legitimate email accounts to deliver phishing payloads. One notable instance involved an account from the Oman Ministry of Foreign Affairs based in Paris, which lent credibility to the emails and increased the likelihood of successful infiltration.
Victims spanned embassies, consulates, and international organizations across:
- The Middle East
- Africa
- Europe
- Asia
- The Americas
Entities in Europe and Africa emerged as particularly frequent targets. This method of leveraging trusted government domains reflects an advanced understanding of how to bypass security filters and exploit human trust in official-looking communication.
Homeland Justice and Charming Kitten Demonstrate Evolving Techniques
Separately, another Iranian-linked group known as “Charming Kitten” (APT35) is active at the same time and continues to leverage social engineering and phishing techniques that exploit human error rather than software vulnerabilities.
Phishing Tactics Exploit Human Psychology and Social Platforms
Certfa researchers have noted that Charming Kitten employs deceptive emails impersonating Gmail security alerts and fake Google Drive sharing links to steal login credentials. These phishing emails often travel through compromised social media accounts on platforms like Twitter, Facebook, and Telegram, highlighting the multi-channel nature of current threats.
The group customizes its attacks based on victims’ geographical location, digital behavior, and network of contacts. Security experts strongly recommend:
- Avoiding SMS-based two-factor authentication (2FA)
- Adopting hardware-based security keys
- Using PGP encryption for sensitive communications
- Training staff to recognize phishing attempts
- Conducting routine security hygiene reviews across email systems
These measures are especially relevant for diplomatic institutions where human error can lead to significant geopolitical exposure.
Conference-Themed Spoofing Campaigns Target High-Profile Individuals
Both Charming Kitten and another Iranian group, Phosphorus, have been linked to campaigns impersonating organizers of security conferences such as the Munich Security Conference and the Think 20 Summit. These email-based lures target select individuals—former government officials, diplomats, academics, and policy experts—with phishing emails designed to compromise their professional inboxes.
ClearSky reports that these tactics mark a strategic shift toward social engineering-heavy methods, with attackers relying less on malware exploits and more on manipulating users into providing access credentials.
Cyber Espionage as a Strategic Instrument of Foreign Policy
The Homeland Justice campaign against more than 50 embassies and global entities is not an isolated effort but fits a broader pattern of Iranian cyber operations designed to gather intelligence and influence strategic negotiations.
The embassies and diplomatic missions of countries in the Middle East, Europe, Africa, and the Americas, as well as international bodies such as the United Nations and the African Union, have been identified among the targeted entities. This suggests a wide-ranging surveillance objective tied to advancing Iran’s foreign policy priorities through digital means.
Security researchers consistently trace these activities back to Iranian state-backed actors, with the Ministry of Intelligence and Security (MOIS) believed to be directing or supporting many of these campaigns. While attribution in cyberspace is inherently complex, multiple independent sources have validated the indicators linking these operations to Iranian-affiliated threat groups.
Takeaways for Diplomatic and Government Targets
Given the high sophistication and widespread nature of Iranian phishing campaigns, diplomatic institutions and NGOs must reassess their security postures.
Key takeaways include:
- Verify authenticity of diplomatic communications even when sent from historically “safe” addresses.
- Avoid enabling macros in unsolicited Word documents, especially those sent from international sources.
- Transition from SMS-based to hardware-based 2FA across all sensitive accounts.
- Use encrypted, institutional email systems for internal communications rather than personal providers.
- Educate personnel regularly on spear-phishing tactics and indicators of compromise (IoCs).
The evolving strategies of groups like Homeland Justice, Charming Kitten, and Phosphorus exemplify how state actors exploit both technological and psychological vulnerabilities. As these Iranian hackers continue to refine their phishing campaigns, global diplomatic and government bodies must remain vigilant against increasingly personalized and deceptive cyber espionage attempts.